Privacy Policy
Last updated: [Insert Date]
1. Introduction
[Insert Company Name] (“Nanbu,” “we,” “us,” or “our”) operates the website [Insert Website URL] (the “Platform”). This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information when you use our Platform.
This Privacy Policy is published in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
By using the Platform, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree, please do not use the Platform.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: Name, email address, password (hashed and salted, never stored in plaintext), and profile details you choose to provide.
- Creator application information: Display name, handle, bio, category, and any additional information submitted during the Creator application process.
- Content: Text, images, videos, audio files, and other media uploaded to the Platform by Creators.
- Communications: Messages sent through the Platform’s direct messaging and broadcast features, and any communications sent to our support team.
2.2 Information from Third-Party Services
- YouTube OAuth data: When a Creator connects their YouTube channel, we receive limited data via Google’s OAuth 2.0 protocol, including: YouTube channel name, channel ID, profile picture URL, and public video metadata. We store an encrypted refresh token (using AES-256-GCM encryption at the application layer) to maintain the connection. We do not access private YouTube videos, analytics, or subscriber lists.
- Payment information: Payment details (UPI ID, card information, bank account details) are collected and processed directly by our payment processor, Razorpay Software Private Limited. Nanbu does not store your full payment card numbers, CVV, or UPI PIN. We receive only transaction confirmation data (transaction ID, amount, status, payment method type) from Razorpay.
2.3 Information Collected Automatically
- Device and browser information: IP address, browser type and version, operating system, device type, and screen resolution.
- Usage data: Pages visited, features used, time spent on pages, referral URLs, and interaction patterns with the Platform.
- Cookies and local storage: Session cookies for authentication, and preference cookies for Platform functionality. See Section 9 for details.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing and operating the Platform: Creating and managing your account, processing subscriptions, delivering content, and facilitating communication between Creators and Members.
- Content moderation: Scanning uploaded media (images and videos) using Amazon Web Services (AWS) Rekognition, a machine-learning-based image and video analysis service, to detect and prevent prohibited content (including NSFW, violent, and otherwise objectionable material) from being published on the Platform. This scanning occurs before content is made visible to any user.
- Payment processing: Facilitating subscription payments and Creator payouts through Razorpay.
- Communication: Sending you transactional emails (subscription confirmations, payout notifications, account security alerts) and, where you have opted in, service-related announcements.
- Security and fraud prevention: Detecting, investigating, and preventing fraudulent transactions, unauthorized access, and other illegal activities.
- Legal compliance: Complying with applicable laws, regulations, legal processes, or government requests.
- Platform improvement: Analyzing usage patterns to improve the Platform’s functionality, performance, and user experience. We do not use third-party analytics tools at this time; analysis is conducted using our own database queries.
4. How We Share Your Information
We do not sell, rent, or trade your personal information to advertisers, data brokers, or any other third parties for their marketing purposes.
We share your information only in the following limited circumstances:
4.1 Service Providers
- Razorpay (Payment Processor): Payment transaction data is shared securely with Razorpay for processing subscription payments and Creator payouts. Razorpay is an RBI-licensed payment aggregator and is bound by its own privacy and security policies.
- Amazon Web Services (AWS) (Content Moderation): Uploaded media files are transmitted securely to AWS Rekognition for automated content moderation scanning. AWS processes this data in accordance with the AWS Privacy Policy.
- Supabase (Authentication and Database): User account data and application data are stored in our Supabase database with Row-Level Security (RLS) policies ensuring data isolation between users.
- Cloudflare (Media Storage and CDN): Creator-uploaded media files are stored on Cloudflare R2 and served through Cloudflare’s network. Access to media is controlled via signed URLs.
- Resend (Email Service): Transactional email data (email address, email content) is shared with Resend for delivering notifications and account communications.
- Vercel (Hosting): Our frontend application is hosted on Vercel. Server-side rendering requests may process user request data through Vercel’s infrastructure.
4.2 Legal Requirements
We may disclose your information if required to do so by law, court order, or government authority, or if we believe in good faith that such disclosure is necessary to comply with legal obligations, protect our rights or safety, prevent fraud, or respond to an emergency involving the safety of any person.
4.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change via a prominent notice on the Platform or by email.
5. Data Storage & Security
5.1 Storage
Your data is stored on secure servers provided by our infrastructure partners (Supabase for database, Cloudflare R2 for media storage). Data may be stored and processed in data center locations outside of India as determined by our infrastructure providers, in compliance with applicable data protection laws.
5.2 Security Measures
We implement industry-standard security measures to protect your data, including:
- Encryption of data in transit using TLS/SSL.
- Encryption of data at rest for sensitive data stores.
- Application-layer AES-256-GCM encryption for stored OAuth tokens (e.g., YouTube refresh tokens).
- Password hashing using secure, salted hashing algorithms (handled by Supabase Auth).
- Row-Level Security (RLS) policies at the database level ensuring users can only access their own data.
- Signed URLs with expiry for media access, preventing unauthorized direct access to stored files.
- Dynamic per-subscriber watermarking on served images to deter unauthorized redistribution.
While we strive to use commercially acceptable means to protect your personal information, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security.
6. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with our services. Specifically:
- Account data: Retained for the duration of your account and for a reasonable period thereafter (up to 180 days) to allow for account recovery or compliance with legal obligations.
- Creator content: Retained for as long as the Creator maintains it on the Platform. Deleted content is removed from our active systems within a reasonable timeframe, though backup copies may persist for up to 90 days.
- Transaction records: Retained for a minimum of 8 years as required under Indian tax and financial regulations (Income Tax Act, 1961 and GST Act, 2017).
- Moderation logs: Records of content moderation actions are retained for compliance and audit purposes.
7. Your Rights
In accordance with applicable Indian law (including the SPDI Rules), you have the following rights regarding your personal data:
- Right to access: You may request a copy of the personal data we hold about you.
- Right to correction: You may request correction of inaccurate or incomplete personal data.
- Right to withdrawal of consent: You may withdraw your consent to the processing of your personal data at any time by contacting us. Note that withdrawal of consent may affect your ability to use certain features of the Platform.
- Right to deletion: You may request deletion of your account and associated personal data. Please note that certain data may be retained as required by law (see Section 6).
To exercise any of these rights, please contact us at [Insert Support Email]. We will respond to your request within 30 days.
8. Third-Party Links & Services
The Platform may contain links to third-party websites or services (including YouTube, Razorpay, and Google). We are not responsible for the privacy practices, content, or security of these third-party services. We encourage you to review their privacy policies before providing them with your personal information.
9. Cookies & Local Storage
The Platform uses the following types of cookies and local storage:
- Essential/authentication cookies: Required for maintaining your login session and ensuring the security of your account. These cannot be disabled without affecting Platform functionality.
- Preference cookies: Used to remember your settings and preferences (e.g., theme selection).
We do not use advertising or tracking cookies. We do not use third-party analytics cookies (e.g., Google Analytics, PostHog).
10. Children’s Privacy
Nanbu is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take immediate steps to delete such information. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [Insert Support Email].
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised “Last updated” date and, where appropriate, by sending a notification to your registered email address. We encourage you to review this page periodically.
12. Grievance Officer
In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have appointed a Grievance Officer to address your concerns regarding data privacy:
- Name: [Insert Grievance Officer Name]
- Email: [Insert Grievance Officer Email]
- Address: [Insert Registered Address]
Grievances will be acknowledged within 24 hours and resolved within 15 days of receipt, as required by the IT Intermediary Rules.
13. Contact Us
For questions or concerns about this Privacy Policy, please contact us:
- [Insert Company Name]
- Email: [Insert Support Email]
- Address: [Insert Registered Address]
You may also visit our Contact Us page for additional ways to reach us.